Closed 3schwartz closed 5 days ago
I was finally able to get email claims on ID tokens after renewing them using refresh tokens.
However, I'm still unsure why the configuration change to use_continue_with_transitions: true resolved the issue. The only relevant information I could find was in the documentation here and a few related references (detailed below).
Could someone provide a more detailed explanation of how this configuration change affects the token behavior?
Earlier today, I created a new Ory project, an OAuth2 client (with the same configurations as previous clients that had issues), and a user using the default identity schema (preset://email).
I then initiated an OIDC flow with this new setup and observed that, unlike before, the email was successfully present on the ID token after renewal. However, when I used the same setup with my older project, client, and user(s), the issue persisted.
Upon comparing the oauth2-config and identity-config between the two projects, I noticed a difference in their identity configurations. Specifically:
in the new project I had

```yaml
feature_flags:
  ...
  use_continue_with_transitions: true
```

Whereas in the old project, it was:

```yaml
feature_flags:
  ...
  use_continue_with_transitions: false
```
Upon searching for use_continue_with_transitions, I found these relevant issues and discussions:

Additionally, I found documentation stating that this setting:

> ...
> This setting is enabled by default for new projects.
> ...

(Reference: Ory Kratos Native Recovery Flows Documentation)
We have not made any changes to these configurations, so it appears that the default value for this setting has been updated since we originally started our project. This change in the default configuration is likely the reason the old setup did not include the email claim on ID tokens after renewal.
After setting use_continue_with_transitions: true in the old project, we now successfully receive email claims on our ID tokens after token renewal.
I'm a bit confused: in the section "and ID token now doesn't have the email and sid claim" you show a JWT token that does have the email claim. It is missing the sid claim though!
So, I have tried to reproduce this issue both with the flag set to true and to false, however, I always get the same claims in the ID token from the refresh_token grant as I do from the original grant (email and sid). Therefore, I assume that this is some other issue and am closing this as can't reproduce. Please feel free to provide more details/context in case you find this issue again.
> I'm a bit confused: in the section "and ID token now doesn't have the email and sid claim" you show a JWT token that does have the email claim. It is missing the sid claim though!

Sorry, it was a copy-paste error. Updated now.
> So, I have tried to reproduce this issue both with the flag set to true and to false, however, I always get the same claims in the ID token from the refresh_token grant as I do from the original grant (email and sid). Therefore, I assume that this is some other issue and am closing this as can't reproduce. Please feel free to provide more details/context in case you find this issue again.

I have compared both identity and oauth2 configuration and this one change is the only difference between the project where I have issues and the new project which works.
Could you maybe help provide some links to documentation or give some details on what this flag does in the backend: use_continue_with_transitions: true?
Preflight checklist
Ory Network Project
No response
Describe the bug
Issue
email (and sid) claim after issuing using refresh token.
email. It is only on the ID token.
Details
We are using the oidc-client-ts (v 3.0.1) client in our frontend with the authorization code flow and refresh tokens, https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant. We have enabled the openid, email and offline_access scope in the OAuth2 Client used. Our client setup is using oidc-client-ts:
The first request to our token endpoint after a successful login is using our authorization code. We call https://<OUR_DOMAIN>.com/oauth2/token with the form data
and we get response
Now the email claim is present in the ID token but not in the access token.
Access token
ID token
Now after we use our refresh token we call the token endpoint again https://<OUR_DOMAIN>.com/oauth2/token with body
we get response
where access token contains
and ID token now doesn't have the email and sid claim
Reproducing the bug
openid email offline_access
sid) claim are missing from the ID token. Still missing on the access token
Relevant log output
No response
Relevant configuration
No response
Version
Using Ory network
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
None
Additional Context
No response
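As an added example (not code from this issue, from Ory, or from oidc-client-ts), the regression check a client could run to catch the behaviour reported above: compare the claims on the ID token from the authorization-code exchange with those on the ID token returned by the refresh_token grant, and report which ones disappeared. The two tokens are constructed inline with a dummy signature, so the function inspects the payload only; signature verification is assumed to happen elsewhere before any claim is trusted.

```javascript
// Claims the client relies on; the issue concerns email and sid.
const REQUIRED_CLAIMS = ['email', 'sid'];

// base64url without padding, as used for JWT segments.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload segment of a compact JWS. No signature check here:
// this is a diagnostic over tokens the app has already validated.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Every claim on the original ID token (plus the required ones) is expected
// on the refreshed ID token too; returns the sorted list of those that are absent.
function missingClaimsAfterRefresh(originalIdToken, refreshedIdToken, required = REQUIRED_CLAIMS) {
  const before = decodeJwtPayload(originalIdToken);
  const after = decodeJwtPayload(refreshedIdToken);
  const expected = new Set([...Object.keys(before), ...required]);
  return [...expected].filter((claim) => !(claim in after)).sort();
}

// Constructed sample tokens modelled on the report: the first ID token carries
// email and sid, the one issued from the refresh_token grant has lost both.
// The signature segment is a dummy value ("sig"), not a real signature.
function makeToken(payload) {
  const header = base64UrlEncode({ alg: 'RS256', typ: 'JWT' });
  return `${header}.${base64UrlEncode(payload)}.c2ln`;
}
const ORIGINAL_ID_TOKEN = makeToken({
  iss: 'https://<OUR_DOMAIN>.com/', sub: 'user-1', aud: 'client-1',
  email: 'user@example.com', sid: 'sess-1', iat: 1, exp: 2,
});
const REFRESHED_ID_TOKEN = makeToken({
  iss: 'https://<OUR_DOMAIN>.com/', sub: 'user-1', aud: 'client-1', iat: 3, exp: 4,
});

console.log(missingClaimsAfterRefresh(ORIGINAL_ID_TOKEN, REFRESHED_ID_TOKEN)); // [ 'email', 'sid' ]
```

In an oidc-client-ts app the refreshed token is available as user.id_token inside the userManager.events.addUserLoaded callback, which is where this check can run against the ID token saved from the initial login.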